sql = "insert into tbl_nurse(nurseid,nursename,deptname,dob,doj,qualification,salary)"
sql = sql & "values('" & txtNurseid.Text & "','" & TxtNursename.Text & "','" & Cmbdept.Text & "',convert(date,'" & DateTimePicker1.Value & "',103),convert(date,'" & DateTimePicker2.Value & "',103),'" & Txtqualification.Text & "','" & txtsalary.Text & "')"
conn.Execute(sql)
答案 0 :(得分:3)
您应该使用sql-parameters来避免sql-injection,并防止出现此类转化问题。
假设SQL-Server的示例:
Const sql = "INSERT INTO tbl_nurse(nurseid,nursename,deptname,dob,doj,qualification,salary)" & vbCrLf & _
"VALUES(@nurseid, @nursename, @deptname, @dob, @doj, @qualification, @salary)"
Using con = New SqlConnection("Insert Your Connection String Here")
Using cmd = New SqlCommand(sql, con)
cmd.Parameters.AddWithValue("@nurseid", txtNurseid.Text)
cmd.Parameters.AddWithValue("@nursename", TxtNursename.Text)
cmd.Parameters.AddWithValue("@deptname", Cmbdept.Text)
' -- No conversion problems anymore because you pass a DateTime -- '
cmd.Parameters.AddWithValue("@dob", DateTimePicker1.Value)
' ... other parameters ... '
con.Open()
Dim affectedRecords As Int32 = cmd.ExecuteNonQuery()
End Using
End Using
答案 1 :(得分:0)
尝试改变这样..
sql = "insert into tbl_nurse(nurseid,nursename,deptname,dob,doj,qualification,salary)"
sql = sql & " values('" & txtNurseid.Text & "','" & TxtNursename.Text & "','" & Cmbdept.Text & "',#" & format(DateTimePicker1.Value.Date) & "#,#" & format(DateTimePicker2.Value.Date) & "#,'" & Txtqualification.Text & "','" & txtsalary.Text & "')"
conn.Execute(sql)
正如Tim Scmelter所说..你最好使用参数化输入
答案 2 :(得分:0)
如下添加参数,它的作用就像魅力
cmnd.Parameters.Add("@date_time", SqlDbType.DateTime).Value = datetime.Date;
原帖在这里: